Class RequestArgumentsSanitizer

java.lang.Object
com.sdl.delivery.security.RequestArgumentsSanitizer

public class RequestArgumentsSanitizer extends Object
This class provides utility methods to protect loggers from CR and LF (carriage-return and line-feed) characters, which can be used to forge log messages. The kit supports sanitizing a single parameter with the method 'sanitize', a set of parameters with the method 'getSanitizedCopy', or acting as a straight-forward replacement for the Logger calls themselves.

USAGE: it is safer to use:
  sanitize(LOG, LogLevel.DEBUG, "arg {}", publicationId);
instead of:
  LOG.debug("arg {}", publicationId);
or to use:
  sanitize(LOG, LogLevel.ERROR, "Invalid arg {} provided", publicationId, new IllegalArgumentException());
instead of:
  LOG.error("Invalid arg {} provided", publicationId, new IllegalArgumentException());
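The following is an added usage example, not code from the SDL library itself; it shows what a CR/LF-carrying request parameter does to a log entry and how the class's documented methods neutralize it. It assumes an SLF4J binding on the classpath, uses only the signatures listed on this page, and the class name, the constructed input value and the helper method are invented for illustration.

```java
import com.sdl.delivery.security.RequestArgumentsSanitizer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class SanitizedLoggingExample {
    private static final Logger LOG = LoggerFactory.getLogger(SanitizedLoggingExample.class);

    // Constructed sample value: a request parameter that embeds CR/LF followed by
    // text shaped like a second, legitimate-looking log record.
    static final String FORGED_PUBLICATION_ID =
        "42\r\nINFO  [main] Login succeeded for user=admin";

    // Helper (hypothetical): the value exactly as the sanitizer hands it to the logger.
    // sanitize(Object) returns Object, so it is rendered through String.valueOf.
    static String sanitizedId(String raw) {
        return String.valueOf(RequestArgumentsSanitizer.sanitize(raw));
    }

    // Helper (hypothetical): true when a value can still break a log line.
    static boolean containsLineBreak(String value) {
        return value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0;
    }

    public static void main(String[] args) {
        // Unsafe: the line break inside the argument reaches the log file verbatim,
        // so a reader of the log sees two records where only one was written.
        LOG.info("Requested publication {}", FORGED_PUBLICATION_ID);

        // Safe: per the class documentation CR and LF become the visible marker,
        // so the whole entry stays on one line.
        String safeId = sanitizedId(FORGED_PUBLICATION_ID);
        LOG.info("Requested publication {}", safeId);
        LOG.debug("sanitized value still contains line break: {}", containsLineBreak(safeId));

        // Several arguments at once: every element of the copy is sanitized.
        Object[] safeArgs = RequestArgumentsSanitizer.getSanitizedCopy(FORGED_PUBLICATION_ID, "en-US");
        LOG.info("publication={} locale={}", safeArgs);

        // Level chosen at run time: this overload sanitizes the arguments itself.
        RequestArgumentsSanitizer.sanitize(LOG, "warn", "Invalid publication {}", FORGED_PUBLICATION_ID);
    }
}
```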
  • Method Details

    • getSanitizedCopy

      public static Object[] getSanitizedCopy(Object... argArray)
      Returns an array of the given arguments, each of them safe for printing in logs, because CR and LF characters have been replaced with the safe character "⬎" (which still marks where the replaced characters were).
      Parameters:
      argArray - is an array with elements to sanitize.
      Returns:
      an array with sanitized elements, which can be logged safely.
    • sanitize

      public static Object sanitize(Object arg)
      Replaces CR and LF characters with "⬎".
      Parameters:
      arg - object to sanitize.
      Returns:
      sanitized parameter (safe for logging).
    • sanitizeTrace

      public static void sanitizeTrace(org.slf4j.Logger log, EventType eventTypeArg, String message, Object... args)
      Utility method to replace LOG.trace calls; the arguments are sanitized before the message is logged.
      Parameters:
      log - Logger for which the message is sanitized.
      eventTypeArg - type of security event to be logged.
      message - message to be printed in the log.
      args - replacements for the {} placeholders in the given message.
    • sanitizeDebug

      public static void sanitizeDebug(org.slf4j.Logger log, EventType eventTypeArg, String message, Object... args)
      Utility method to replace LOG.debug calls; the arguments are sanitized before the message is logged.
      Parameters:
      log - Logger for which the message is sanitized.
      eventTypeArg - type of security event to be logged.
      message - message to be printed in the log.
      args - replacements for the {} placeholders in the given message.
    • sanitizeInfo

      public static void sanitizeInfo(org.slf4j.Logger log, EventType eventTypeArg, String message, Object... args)
      Utility method to replace LOG.info calls; the arguments are sanitized before the message is logged.
      Parameters:
      log - Logger for which the message is sanitized.
      eventTypeArg - type of security event to be logged.
      message - message to be printed in the log.
      args - replacements for the {} placeholders in the given message.
    • sanitizeWarn

      public static void sanitizeWarn(org.slf4j.Logger log, EventType eventTypeArg, String message, Object... args)
      Utility method to replace LOG.warn calls; the arguments are sanitized before the message is logged.
      Parameters:
      log - Logger for which the message is sanitized.
      eventTypeArg - type of security event to be logged.
      message - message to be printed in the log.
      args - replacements for the {} placeholders in the given message.
    • sanitizeError

      public static void sanitizeError(org.slf4j.Logger log, EventType eventTypeArg, String message, Object... args)
      Utility method to replace LOG.error calls; the arguments are sanitized before the message is logged.
      Parameters:
      log - Logger for which the message is sanitized.
      eventTypeArg - type of security event to be logged.
      message - message to be printed in the log.
      args - replacements for the {} placeholders in the given message.
    • sanitize

      public static void sanitize(org.slf4j.Logger log, String logLevelArg, EventType eventType, String message, Object... args)
      Overload of sanitize(java.lang.Object) that takes the log level as a string, for compatibility with OWASP ESAPI, which has a 'warning' method instead of the widely used 'warn'.
      Parameters:
      log - logger to which the message will be written.
      logLevelArg - log level, one of 'trace', 'debug', 'info', etc.
      eventType - event type, for compatibility with OWASP ESAPI.
      message - log message to be logged (placeholders {} are allowed).
      args - arguments for the placeholders in the message.
    • sanitize

      public static void sanitize(org.slf4j.Logger log, String logLevel, String message, Object... args)
      Overload of sanitize(java.lang.Object) that takes the log level as a string, for compatibility with OWASP ESAPI, which has a 'warning' method instead of the widely used 'warn'. The event type is SUCCESS.
      Parameters:
      log - logger to which the message will be written.
      logLevel - log level, one of 'trace', 'debug', 'info', etc.
      message - log message to be logged (placeholders {} are allowed).
      args - arguments for the placeholders in the message.